The use of government email addresses as the backup and recovery email on many Yahoo accounts led to the exposure of more than 150,000 U.S. government and military employees in a recent Yahoo email breach, according to Andrew Komarov, chief intelligence officer at InfoArmor, who initially discovered the breach.
“The Yahoo database has special fields for password recovery,” said Komarov. “Many records in the dump had .gov and .mil password recovery.”
A Yahoo press release on the breach confirmed that “the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” which, according to Komarov, exposed where government employees work, their schedules, and the details of their contacts and conversations to those who purchased the hacked data.
“I personally have no doubt that users could be compromised,” said Komarov, explaining that the leak of such data would likely lead to cyber espionage, identity theft, and a number of other malicious attacks.
“During almost three years […] some bad actors used the stolen Yahoo database without Yahoo knowing about it,” Komarov added, explaining that the hack took place around the spring of 2013.
Though Komarov couldn’t confirm exactly how many purchases of the data took place in those three years, he did track three sales, of which one was “potentially a state-sponsored actor.”
According to InfoArmor, the bad actors responsible for the data breach, called Group E, preferred to work through the third-party sellers Peace_of_Mind and tessa88, as one was a Russian-speaking actor and the other English-speaking. However, the price asked for the data was suspiciously low, and, according to Komarov, “that dump was not valid.”
“According to discovered information, both bad actors expected to receive the actual Yahoo dump under set conditions from the real hackers that the data will be monetized in an efficient and careful manner; however, this did not happen,” a September InfoArmor press release said. “The actual Yahoo data dump is still not available on any underground forums or marketplaces, and has been distributed from so-called Group ‘E’ to one of their proxies for further monetization.”
The United States was not the only country with government and military data exposed in the Yahoo hack, as InfoArmor uncovered millions of records containing government employee information from countries around the world.
“We have sent the records with government emails to many agencies worldwide,” Komarov said, adding that Yahoo is not the only provider affected: InfoArmor has also detected a German email provider that encountered a similar hacking incident.
Though agencies cannot undo the exposure, Komarov suggested that agencies make an effort to discover exactly how many of their people were exposed, and what information that exposure could have revealed, adding that “it’s the task of law enforcement agencies to investigate at this time.”
“I would say not to use Yahoo or be very careful with official correspondence and contacts,” Komarov advised government employees, adding that agencies should be more aware of the online activity of their personnel. “It’s a bad idea to expose the details of any official work to any email or social media provider.”